Archive for September, 2010

Most of the applications we build these days have an admin interface where a user with the necessary privileges manages the application's content, subject to some business rules. Part of that content has to be easy to edit, which means the user needs to add some formatting to it. For us, that usually means the user types HTML tags. And it also means the user can type things that break our application, or, worse, that end up running as script in other users' browsers.

Luckily, Rails ships with helpers that sanitize markup and strip unwanted tags or attributes from it.

Strip links

If you only want to remove the links from a text, keeping their inner text, use strip_links:

<%= strip_links 'Send e-mail to <a href="mailto:me@example.com">Me</a>.' %>
 
Send e-mail to Me.

Strip tags

This one is probably better known: it removes all HTML tags from the given markup, using Rails' html-scanner tokenizer, so its parsing ability is limited by that of html-scanner:

<%= strip_tags '<p class="foo">Send e-mail to <a href="mailto:me@example.com">Me</a>.</p>' %>
 
Send e-mail to Me.

Sanitize

The sanitize helper keeps only the tags on its whitelist and strips every attribute that is not explicitly allowed. Tags that are not allowed are removed while their text is kept, except for script and style elements, whose contents are dropped entirely; href and src values whose protocol is not allowed (javascript: in particular) are dropped as well.

<%= sanitize '<p id="bar" class="foo">foo bar <script>alert("I am a hacker!")</script> baz</p>' %>
 
<p class="foo">foo bar  baz</p>

Here the script tag was removed along with its contents, and the id attribute was stripped from the paragraph tag, while class, which is on the default whitelist, survived.

Simple format

Together with sanitize we have the simple_format helper. Besides sanitizing the given content, it converts a single newline into a br tag and wraps text separated by two or more newlines in p tags, applying the given html options to each p. Let's see how it works:

<%= simple_format "I am a text \n and I want to be formatted \n\n by <strong>simple_format</strong>", :class => 'foo' %>
 
<p class="foo">I am a text 
<br /> and I want to be formatted </p> 
<p class="foo"> by <strong>simple_format</strong></p>

Changing the defaults

Rails lets you configure most of what is and is not allowed when sanitizing content. These are the available options:

  • sanitized_uri_attributes
  • sanitized_bad_tags
  • sanitized_allowed_tags
  • sanitized_allowed_attributes
  • sanitized_allowed_css_properties
  • sanitized_allowed_css_keywords
  • sanitized_shorthand_css_properties
  • sanitized_allowed_protocols

These settings are fairly self-explanatory, but if in doubt, check the docs in the source code. You can change any of them in your application configuration. Note that in Rails 3 these setters merge the values you give into the default sets rather than replacing them, so the example below enables table tags and the tel protocol in addition to the defaults:

class Application < Rails::Application
  config.action_view.sanitized_allowed_tags = %w(table tr th td thead tbody tfoot)
  config.action_view.sanitized_allowed_protocols = %w(tel)
end
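To make the whitelist policy concrete, here is a small sanitizer written for this post as an added illustration. It is not Rails' code and not a drop-in replacement for the helper: it tokenizes with regular expressions instead of html-scanner, and its default tag, attribute and protocol sets (assumptions, smaller than Rails' own) exist only to keep the example short. What it does reproduce is the policy described above: unknown tags are dropped while their text is kept, script and style lose their contents, attributes and href/src schemes are whitelisted, and the sets are extended by adding to them, the way the config setters above behave.

```ruby
require 'set'

# Whitelist sanitizer modelled on the policy of Rails' sanitize helper.
# Added illustration: regex tokenizer, reduced default sets (assumed here,
# not Rails' actual defaults).
class TinyWhiteListSanitizer
  DEFAULT_TAGS       = Set.new(%w(strong em b i p code pre a img br ul ol li blockquote))
  DEFAULT_ATTRIBUTES = Set.new(%w(href src alt title class))
  DEFAULT_PROTOCOLS  = Set.new(%w(http https mailto))
  URI_ATTRIBUTES     = Set.new(%w(href src))
  BAD_TAGS           = Set.new(%w(script style)) # tag *and* its text are dropped

  TOKEN = /<!--.*?-->|<\/?[a-zA-Z][^>]*>|[^<]+|</m
  TAG   = /\A<(\/?)([a-zA-Z][a-zA-Z0-9]*)(.*)>\z/m
  ATTR  = /([a-zA-Z:_-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

  attr_reader :allowed_tags, :allowed_attributes, :allowed_protocols

  def initialize
    @allowed_tags       = DEFAULT_TAGS.dup
    @allowed_attributes = DEFAULT_ATTRIBUTES.dup
    @allowed_protocols  = DEFAULT_PROTOCOLS.dup
  end

  def sanitize(html)
    out = +''
    open_bad = 0 # depth of open script/style elements
    html.scan(TOKEN) do |tok|
      next if tok.start_with?('<!--')                  # comments are dropped
      if (m = TAG.match(tok))
        closing, name, attrs = m[1] == '/', m[2].downcase, m[3].strip
        selfclose = attrs.end_with?('/')
        attrs = attrs.chomp('/') if selfclose
        if BAD_TAGS.include?(name)
          open_bad += closing ? -1 : 1 unless selfclose
          open_bad = 0 if open_bad < 0
          next
        end
        next unless allowed_tags.include?(name)        # unknown tag: dropped, text kept
        out << (closing ? "</#{name}>" : "<#{name}#{clean_attributes(attrs)}#{selfclose ? ' /' : ''}>")
      else
        next if open_bad > 0                           # text inside <script>/<style>
        out << tok.gsub('<', '&lt;')
      end
    end
    out
  end

  private

  def clean_attributes(attrs)
    kept = +''
    attrs.scan(ATTR) do |name, dq, sq, bare|
      name  = name.downcase
      value = dq || sq || bare
      next unless allowed_attributes.include?(name)
      next if URI_ATTRIBUTES.include?(name) && !protocol_allowed?(value)
      kept << %( #{name}="#{value.gsub('"', '&quot;')}")
    end
    kept
  end

  # Relative URIs pass; absolute ones must use a whitelisted scheme. Whitespace
  # and control characters are removed and entity/percent-encoded colons are
  # normalised first, so "java\tscript:" and "javascript&#58;" are still caught.
  def protocol_allowed?(value)
    v = value.gsub(/[\s\x00-\x1f]/, '')
    v = v.gsub(/&#0*58;?|&#x0*3a;?|%3a/i, ':')
    m = /\A([^\/:]*):/.match(v)
    return true unless m
    allowed_protocols.include?(m[1].downcase)
  end
end

SANITIZER = TinyWhiteListSanitizer.new

# The post's own example: script removed (content and all), id dropped, class kept.
def demo_script
  SANITIZER.sanitize('<p id="bar" class="foo">foo bar <script>alert("I am a hacker!")</script> baz</p>')
end

# href values: disallowed schemes (and obfuscated spellings) lose the attribute.
def demo_links
  SANITIZER.sanitize(
    "<a href=\"JaVaScRiPt:alert(1)\">1</a>" \
    "<a href=\"java\tscript:alert(1)\">2</a>" \
    "<a href=\"javascript&#58;alert(1)\">3</a>" \
    "<a href=\"mailto:me@example.com\" onclick=\"steal()\">4</a>" \
    "<a href=\"/docs#top\">5</a>"
  )
end

# Extending the policy the way the config setters do: add to the defaults.
def demo_configured
  s = TinyWhiteListSanitizer.new
  s.allowed_tags.merge(%w(table tr th td))
  s.allowed_protocols << 'tel'
  s.sanitize('<table><tr><td><a href="tel:+5511999999999">call</a></td></tr></table><iframe src="https://example.com"></iframe>')
end

if __FILE__ == $PROGRAM_NAME
  puts demo_script, demo_links, demo_configured
end
```

Running it prints the same `<p class="foo">foo bar  baz</p>` shown earlier, five a tags of which only the mailto and relative links keep their href, and a table whose iframe neighbour has vanished. The protocol check is the part worth copying into any sanitizer you write yourself: matching on the scheme after stripping whitespace and decoding colons is what stops `java&#9;script:` style evasions, which a plain string comparison against "javascript:" would miss.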

Wrapping up!

These simple helpers make life a lot easier when dealing with content coming from an admin interface: they let specific tags and attributes through and do their best to remove everything else. They are only as good as the tokenizer behind them, so keep the allowed sets as small as the feature requires, and remember that widening sanitized_allowed_tags or sanitized_allowed_protocols widens what every sanitize call in the application lets through.

You can see more about them in the docs:
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
http://api.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html

What about you: do you use a Rails helper that is still in the dark? We would love to bring it to the light side, so share it with us!

Rails 3 was released this week, but the minds of the Rails Core team members have already been focused on the 3.1 release for quite some time. DHH was the first to hint at what we would like to see in Rails 3.1 in his RailsConf talk and, as Ruby Summer of Code draws to a close, we can see the work of several students getting solid enough to be an important part of the Rails 3.1 release.

Amid all this work, I was invited to speak at three important conferences in the coming months, and lately I've prepared enough material to give a talk entitled "Rails 2.3, 3.0 and 3.1: Past, Present and Future"!

In this talk I plan to discuss many of the conceptual changes made in Rails 3 and how they were given life in the Rails source code, comparing with Rails 2.3 as much as possible. After the current and past scenarios have been thoroughly discussed, I will show how much of the work done in Rails 3 can still be improved and how several Ruby Summer of Code projects are helping us get there. And if you ever wondered how much Merb affected the Rails community, this talk has a few surprises for you!

The three conferences I mentioned will be held in Ukraine, Brazil and Sweden. I'm not sure anyone will be recording them, so I'd suggest you don't miss any of them. ;)

Here they are…

1) RubyConfUA (Ukraine): 16th and 17th October

If you have never been to Kyiv before (just like me), here's a great opportunity to visit it for the first time! It will be two days of deep immersion in Ruby, with city visits at night!

Kiev

Other active developers in the community, such as Oleg Andreev and Piotr Sarnacki, will be there as well. By the way, RubyConf Ukraine is still accepting both sponsors and talk proposals! We are waiting for you!

2) RubyConf (Brasil): 26th and 27th October

Right after RubyConf Ukraine, I'll fly back to Brazil to present a Portuguese version of this talk. RubyConf Brasil is the former "Rails Summit Latin America" (which has been the largest Ruby and Rails conference in Latin America for the last two years), and this year will be no different. Several Ruby and Rails developers (Yehuda Katz, Charles Nutter, Evan Phoenix and many others) have confirmed their presence. If you get the chance, don't miss it!

3) Oredev (Sweden): 8th to 12th November

And finally, my last stop will be in Sweden, at the developer conference held in Malmö. This one will be different from the previous two, since it is focused on neither Ruby nor Rails. It's a multi-track conference hosting different technologies (by the way, the keynote and tutorial programme is very interesting!). Since I'm expecting several non-Rails developers in the audience, I will adjust my talk slightly to focus more on the conceptual side and less on technical discussion. I'll also be hosting a workshop about Rails 3, where I'll demonstrate a few of @plataformatec's open source projects.

If you are coming to any of these events, please let me know in the comments!